Friday, November 08, 2013

One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, followed by a single "emoticon" email, with an attachment that promises to be a picture.

The emails had a wide variety of subjects and were coming in fast and furious around 4:00 this morning:

A query in the Malcovery Spam Data Mine shows the variety of subjects used in the campaign:

The campaign was further confused by the fact that every email attachment had a unique MD5 hash (one of the tricks we use to cluster emails is to look for them to have the same attachment).

I won't go into the technical details of how it works, but the ZIP file contained an SCR file -- an old filetype that used to be a common way for people to share "Screen Saver" files. Trying to "view" the Image file from inside the .ZIP actually results in the .SCR file being executed, and downloading and executing the file "soft.exe" from the website at 91.216.163.208 as you can see from this code-dump of the SCR file.
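As an added defensive example (not code from the original post), the check below inspects a ZIP attachment for an executable such as an .SCR hiding behind an image-style name, and derives a cluster key from structural traits so that per-message unique MD5s, like the ones in this campaign, don't defeat clustering. The sample archives, member names and payload bytes are constructed for the demo.

```python
import hashlib
import io
import zipfile

# Extensions Windows will execute even when the name looks like a picture.
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "js", "vbs"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}

def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed sample: an in-memory ZIP with one member (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()

def attachment_md5(data: bytes) -> str:
    """The per-attachment hash that hash-busting campaigns make unique."""
    return hashlib.md5(data).hexdigest()

def inspect_zip(data: bytes) -> dict:
    """Flag executable content behind an image-like name and build a cluster
    key from traits the sender cannot randomise as cheaply as file bytes:
    member extension, PE magic, and whether a double extension mimics an image."""
    findings, traits = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = info.filename.lower().rsplit(".", 2)
            ext = parts[-1] if len(parts) > 1 else ""
            image_disguise = len(parts) == 3 and parts[1] in IMAGE_EXTS
            is_pe = zf.open(info).read(2) == b"MZ"   # DOS/PE header
            if ext in EXECUTABLE_EXTS or is_pe:
                findings.append({"member": info.filename, "ext": ext,
                                 "pe": is_pe, "image_disguise": image_disguise})
            traits.append(f"{ext}|{'pe' if is_pe else 'raw'}|{int(image_disguise)}")
    key = hashlib.sha256("\n".join(sorted(traits)).encode()).hexdigest()[:16]
    return {"malicious": bool(findings), "findings": findings, "cluster_key": key}
```

Two variants of the same lure with different random bytes get different MD5s but the same cluster key, while a plain JPEG inside a ZIP is not flagged.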

The file failed to run in our default analysis Sandbox so we had to break out the Raw Iron ... since the malware was being so paranoid, I used a camera to document what came next rather than taking screenshots in the program.

The Fake AV was called "AntiVirus Security Pro" and popped up in the typical fashion to run a "Full Scan" of my system:

While it was running, I pulled a running process name and found that the malware had copied itself to my "Local Settings\Temp" directory and was running from there with the name "dnn9d9n39dn93nd39b9d393d3bdb.exe" (as you can see in the CMD window behind the scan above). That file was 569,344 bytes in size.

After the scan completed, I went ahead and told it to Repair All of the threats it had found.

Unfortunately, it failed to repair some of the infections, because I was running a "limited version" of Antivirus Security Pro.

But there is HOPE! Even though "Not all threats have been eliminated," I could "Buy Full Edition" to fix the remaining 19 threats! What a relief!

When I chose not to do that right away, the Fake AV popped up occasional helpful HINTs that said "We strongly recommend activating full edition of your antivirus software for repairing threats."

Pretty darn expensive Fake AV! To the authors - please note that you are more likely to get the $99.99 for a LIFETIME license as opposed to six months. Nobody is going to pay $59.99 for a 30-day license, but we also aren't going to pay $99.99 for only 6 months! Maybe you could try 1 year, 2 year, 5 year?

Sadly, my credit card didn't clear. I'm shocked. I tried really hard to make up a valid card number! The good news is that the "Antivirus Tech Support" link on my desktop would take me back to the shop anytime I wanted to try again by visiting "techprotectorltd.com":

Fake AV IS A CRIME! REPORT IT!

Were you a victim of this scam? Whether you paid for the Fake AV or not, I would strongly encourage you to report your experience to the Internet Crime Complaint Center by visiting IC3.gov and using the "File a Complaint" button!